1 What to Do When a Virus Is Found 


F-PROT Professional will tell you if there is a virus on your computer. If no viruses are
detected, but you still suspect that something odd is going on, you might try the Heuristic
mode of F-PROT Professional for DOS. That way F-PROT Professional finds even unknown
viruses. If Heuristics reports nothing, then you should look for other signs of infection.


Other Signs of Infection


If F-PROT finds no virus, but you experience the following symptoms, you might be infected
by a new, unknown virus:

• increased use of memory;
• computer operating very slowly;
• delay every time an application is executed;
• inexplicable changes in executable or other files;
• a change in the latest alteration date of files, without apparent reason;
• abnormal write-protection errors;
• Windows fails to start or install;
• Windows warns that 32-bit disk access is turned off;
• inability to save Word documents to any directory other than TEMPLATE;
• floppy disks fail to work normally.


Unfortunately, these early warnings of a possible virus infection are not usually obvious
and can have a wide variety of causes.


If the virus has an activation routine and it has passed into the active phase, it is usually
very easy to detect:

• files disappear;
• the hard disk is formatted;
• the computer does not start;
• information changes;
• certain files cannot be loaded or executed;
• the virus gives some other visible sign, such as writing messages to the screen
  or playing music.


1.1 Don’t Panic 


If your computer is infected with a virus, don’t panic! Sometimes a badly thought out
attempt to remove a virus will do much more damage than the virus itself might have done. The
first actions on discovering a virus infection should be:


• Turn off the power
• Inform the system administrator
• Put a note on the infected computer, so that it will not be used before it has
  been disinfected
• Inform all those people to whom you have given information on a diskette or
  delivered executable files
• If you still feel like panicking, go get a cup of coffee. The virus will wait.


At this point, it would probably be a good idea to read the description of the operation of
the virus. Such descriptions are available in F-PROT for Windows’ Help menu and in the
Viruses/Information menu in F-PROT for DOS. The latest virus descriptions can be viewed at
Data Fellows’ web site at http://www.DataFellows.com/vir-info/


1.1.1 What kind of problem do you have?


When clearing a virus infection, you should first get basic information on the situation:

• Where is the virus?
• What type of virus is it?
• What operating system are you running?

All of these points make a difference to how the virus should be removed.


1.1.2 Where is the virus? 


You have several options here. When F-PROT detects a virus, it will tell you where the
infection was found. Write it down. The virus could have been found in:

• Memory
• Boot sectors on a hard drive
• Boot sector on a floppy
• Files on a hard drive
• Files on a floppy or removable disk
• Files on a network drive


1.1.3 What type of virus is it? 


The options are:

• Boot virus
• Program virus
• Macro virus


Boot viruses and program viruses can stay resident in memory, in which case F-PROT will
detect them there during the initial memory test. At this point, you will not yet know
whether you have a boot or program infector.


Otherwise the type of the virus is easy to determine: if a virus is found in a DOS boot
sector or the Master Boot Record (MBR), you have a boot virus. If the infection is in COM, EXE
or SYS files, you have a program virus. If the infection is in document (typically DOC or
XLS) files, you have a macro virus.


It is possible to have a combination of these. For example, the Junkie virus infects boot 
sectors and COM files. Also, you might have several different viruses on one machine. 


1.1.4 What operating system are you running? 


The options are:

• DOS
• DOS / Windows 3.x
• Windows 95
• Windows NT
• Something else


If you’re running OS/2, consult the F-PROT for OS/2 manual for instructions or contact
F-PROT Support.


Instructions for disinfecting under each operating system are given in the sections below.
Choose the section for your operating system to continue.


Important: If you run into problems during disinfection because F-PROT reports “A new or 
modified variant” of the virus and refuses to disinfect it, please contact F-PROT Support. 
You might have a new virus, which we need to analyse in order to add exact detection and 
disinfection of it to F-PROT. Please see instructions in Section XXX, “Sending virus 
samples for analysis”. 


Important: Make sure you check all places where the virus might have ended up: floppy
disks, network drives, backup tapes, removable drives, files sent to other people via e-mail,
etc.


Disinfecting under DOS


1.1.5 Virus on a floppy 


If F-PROT for DOS finds a virus on a floppy, run F-PROT Professional for DOS from the
hard drive (execute F-PROT.EXE). Open up the Scan menu, make sure that the Target menu is
set to A: and Action is set to Disinfect, and choose Begin Scan. When the virus is found,
follow the instructions given on the screen and let F-PROT Professional remove the virus.
If F-PROT Professional cannot disinfect the virus, it will either rename the file or delete it,
first asking for confirmation.


Alternatively, you can just copy the clean files from the floppy to a directory on the hard 
drive and throw away the floppy. Floppies are cheap and this is a quick and easy way to 
get rid of the problem. 


1.1.6 Virus in Memory 


If F-PROT for DOS finds a virus during the initial memory test, you need to re-run F-PROT in a
clean environment, without the virus lurking in memory. The easiest way to do this is to
reboot the machine so that the virus does not get re-loaded into memory. For that you will
need a clean startup DOS system diskette. The first diskette of the DOS installation diskette
set will do, but it is easiest to use a self-made bootable diskette. Instructions on how to
make the Anti-Virus diskette are in Section XXX, “Creating an Anti-Virus Diskette.”


Turn off the power of the infected computer, insert the clean startup disk and
start the machine. If the machine does not boot from the floppy, make sure your CMOS
Setup settings are configured to boot from the floppy (remember to change this setting back
after you’re done).


After the computer has restarted and the prompt has appeared, remove the startup disk from your
computer’s startup drive, and insert the F-PROT Professional for DOS diskette. Run
F-PROT Professional from the diskette by typing F-PROT <ENTER>. F-PROT should start
and the memory test should find no viruses. If it does, make sure you re-create the boot floppy
on a clean machine, following the instructions in Section XXX, “Creating an Anti-Virus
Diskette”.


After F-PROT has started, open up Scan menu, make sure that the Target menu is set to 
Hard Drive and Action is set to Disinfect, and choose Begin Scan. When the virus is 
found, follow the instructions given on the screen and let F-PROT Professional remove the 
virus. 


If F-PROT Professional cannot disinfect a file virus, it will either rename the file or delete 
it, first asking for confirmation. The easiest way to recover such a file is to reinstall it or 
restore it from the backups. Contact F-PROT Support if needed. 


If F-PROT Professional for DOS is unable to remove a boot sector virus, but you have 
created backups of your boot sectors with F-RESCUE, you can restore them to overwrite 
the virus. See Section XXX, “Using F-RESCUE”. 


If F-PROT Professional for DOS is unable to remove a boot sector virus but you have not
run F-RESCUE beforehand, it might be possible to remove the virus manually. See Section
XXX, “Manually repairing the MBR” or Section XXX, “Manually repairing the DOS boot
sector”. Contact F-PROT Support if needed.


1.1.7 Virus in program files on hard drive or network drive 


If F-PROT for DOS or VIRSTOP finds a virus in program files (COM, EXE, etc.) on the
hard drive or a network drive, but does not report it in memory, you have a non-resident
program virus or a resident virus which you have not executed. In either case you
don’t need to boot from a clean floppy. Run F-PROT Professional for DOS from the hard
drive (execute F-PROT.EXE).


After F-PROT has started, open up Scan menu, make sure that the Target menu is set to 
Hard Drive or Network and Action is set to Disinfect, and choose Begin Scan. When 
the virus is found, follow the instructions given on the screen and let F-PROT Professional 
remove the virus. If F-PROT Professional cannot disinfect the virus, it will either rename 
the file or delete it, first asking for confirmation. The easiest way to recover such a file is to 
reinstall it or restore it from the backups. Contact F-PROT Support if needed. 


If the infection was on a network drive, it is important to make sure all workstations are
cleaned at the same time to prevent re-infection. One way to do this is to force everybody
off the network and include the F-PROT command in the login script. Also revise the access
levels users have on the directories which were infected to prevent the problem from
recurring.


1.1.8 Virus in document files on hard drive or network drive 


If F-PROT for DOS finds a virus from document files (DOC, XLS, etc) on the hard drive or 
network drive, you have a macro virus. These never stay resident in memory, so you don’t 
need to boot from a clean floppy. Just make sure you do the disinfection after exiting Word 
and Excel to make sure they are not locking any document files. 


To disinfect, run the F-MACRO program from the F-PROT for DOS directory. Execute it with a
command line like this:

    F-MACRO C: /DISINF

or, for example, to scan several network drives at once:

    F-MACRO U: X: Y: Z: /DISINF


When the virus is found, follow the instructions given on the screen and let F-MACRO
remove the virus. If F-MACRO is unable to remove the virus, you might want to download
the latest MACRO.DEF update via the internet from http://www.DataFellows.com/macro/.


Important: If F-PROT for DOS and F-MACRO disagree on whether a file is infected or not,
F-MACRO is right. It uses the same OLE2 macro scanning engine as F-PROT for Windows.
F-PROT.EXE uses a simpler engine which might flag an already-cleaned file as still infected. To
fix such a problem, open the file in Word and do a File/Save As operation to clean the
remnants of the virus code from the file.


If the infection was on a network drive, it is important to make sure all workstations are 
cleaned at the same time to prevent re-infection. One way to do this is to force everybody 
off the network and include the F-MACRO command to login script. 


1.2 Disinfecting under Windows 3.x 


1.2.1 Virus on a floppy 


If F-PROT for Windows or Gatekeeper finds a virus on a floppy, run F-PROT Professional
for Windows from the Program Manager. Open up the Settings for the “Scan floppy” task and
make sure that the Action is set to Disinfect. Then start the task from the task bar. When
the virus is found, follow the instructions given on the screen and let F-PROT Professional
remove the virus. If F-PROT Professional cannot disinfect the virus, it will either rename
the file or delete it, first asking for confirmation.


Alternatively, you can just copy the clean files from the floppy to a directory on the hard 
drive and throw away the floppy. Floppies are cheap and this is a quick and easy way to 
get rid of the problem. 


1.2.2 Virus in Memory 


If F-PROT for Windows finds a virus during the initial memory test, you need to re-run F-PROT
in a clean environment, without the virus lurking in memory. The easiest way to do this is
to reboot the machine to DOS so that the virus does not get re-loaded into memory. For that
you will need a clean startup DOS system diskette. The first diskette of the DOS installation
diskette set will do, but it is easiest to use a self-made bootable diskette. Instructions
on how to make the Anti-Virus diskette are in Section XXX, “Creating an Anti-Virus
Diskette.”


Turn off the power of the infected computer, insert the clean startup disk and
start the machine. If the machine does not boot from the floppy, make sure your CMOS
Setup settings are configured to boot from the floppy (remember to change this setting back
after you’re done).


After the computer has restarted and the prompt has appeared, remove the startup disk from your
computer’s startup drive. Next, we will execute F-PROT for DOS: you cannot run F-PROT
for Windows since Windows won’t start after a floppy boot. Insert the F-PROT Professional
for DOS diskette. Run F-PROT from the diskette by typing F-PROT <ENTER>. F-PROT
should start and the memory test should find no viruses. If it does, make sure you re-create the
boot floppy on a clean machine, following the instructions in Section XXX, “Creating an
Anti-Virus Diskette”.


After F-PROT has started, open up Scan menu, make sure that the Target menu is set to 
Hard Drive and Action is set to Disinfect, and choose Begin Scan. When the virus is 
found, follow the instructions given on the screen and let F-PROT Professional remove the 
virus. 


If F-PROT Professional cannot disinfect a file virus, it will either rename the file or delete 
it, first asking for confirmation. The easiest way to recover such a file is to reinstall it or 
restore it from the backups. Contact F-PROT Support if needed. 


If F-PROT Professional for DOS is unable to remove a boot sector virus, but you have 
created backups of your boot sectors with F-RESCUE, you can restore them to overwrite 
the virus. See Section XXX, “Using F-RESCUE”. 


If F-PROT Professional for DOS is unable to remove a boot sector virus but you have not 
run F-RESCUE beforehand, it might be possible to remove the virus manually. See Section 
XXX, “Manually repairing the MBR” or Section XXX, “Manually repairing the DOS boot 
sector”. Contact F-PROT Support if needed. 


1.2.3 Virus in program files on hard drive or network drive 


If F-PROT for Windows or Gatekeeper finds a virus in program files (COM, EXE, etc.)
on the hard drive or a network drive, but does not report it in memory, you have a
non-resident program virus or a resident virus which you have not executed. In either case you
don’t need to boot from a clean floppy. Run F-PROT Professional for Windows from the
Program Manager. Open up the Settings for the “Scan Hard Drive” task and make sure that
the Action is set to Disinfect. Then start the task from the task bar. When the virus is
found, follow the instructions given on the screen and let F-PROT Professional remove the
virus. If F-PROT Professional cannot disinfect the virus, it will either rename the file or
delete it, first asking for confirmation. The easiest way to recover such a file is to reinstall
it or restore it from the backups. Contact F-PROT Support if needed.


If the infection was on a network drive, it is important to make sure all workstations are
cleaned at the same time to prevent re-infection. One way to do this is to force everybody
off the network and include a hard drive scan made with F-PROT for DOS in the system
login script. Also revise the access levels users have on the directories which were
infected to prevent the problem from recurring.


1.2.4 Virus in document files on hard drive or network drive 


If F-PROT for Windows or Gatekeeper finds a virus in document files (DOC, XLS, etc.) on
the hard drive or a network drive, you have a macro virus. These never stay resident in
memory, so you don’t need to boot from a clean floppy. Just make sure you do the
disinfection after exiting Word and Excel to make sure they are not locking any document
files.


To disinfect, r 


If F-PROT for Windows is unable to remove the virus, you might want to download the 
latest MACRO.DEF update via the internet from http://www.DataFellows.com/macro/. 


If the infection was on a network drive, it is important to make sure all workstations are 
cleaned at the same time to prevent re-infection. One way to do this is to force everybody 
off the network and include a hard drive scan made with the DOS-based F-MACRO 
program into the system login script. 


1.3 Disinfecting under Windows 95 


If F-PROT for Windows 95 or Gatekeeper finds a virus on a floppy, run F-PROT for Windows 95
from the Start Menu. Open up the Settings for the “Scan floppy” task and make sure that the
Action is set to Disinfect. Then start the task from the task bar. When the virus is found,
follow the instructions given on the screen and let F-PROT Professional remove the virus.

Alternatively, you can just copy the clean files from the floppy to a directory on the hard
drive and throw away the floppy. Floppies are cheap and this is a quick and easy way to
get rid of the problem.
If F-PROT for Windows 95 finds a virus during the initial memory test, you need to re-run
F-PROT in a clean environment, without the virus lurking in memory, by rebooting the
machine to DOS from a clean startup DOS system diskette (see Section XXX, “Creating an
Anti-Virus Diskette”). Turn off the power of the infected computer, insert the clean
startup disk and start the machine. Next, we will execute F-PROT for DOS: you cannot
run F-PROT for Windows since Windows won’t start after a floppy boot. Insert the
F-PROT Professional for DOS diskette. Run F-PROT from the diskette by typing F-PROT
<ENTER>. F-PROT should start and the memory test should find no viruses. If it does,
make sure you re-create the boot floppy on a clean machine, following the instructions in
Section XXX, “Creating an Anti-Virus Diskette”.


After F-PROT has started, open up the Scan menu, make sure that the Target menu is set to
Hard Drive and Action is set to Disinfect, and choose Begin Scan. When the virus is found,
follow the instructions given on the screen and let F-PROT Professional remove the virus.

If you get an error message which says that low-level access to the hard drive is prevented
and that you should use the LOCK command, you are using a Windows 95 boot floppy instead
of a DOS boot floppy. Re-create a DOS bootable floppy, or repeat the cold boot and give the
LOCK command at the prompt before executing F-PROT.

If F-PROT Professional cannot disinfect a file virus, it will either rename the file or delete
it, first asking for confirmation. The easiest way to recover such a file is to reinstall it or
restore it from the backups. Contact F-PROT Support if needed.


If F-PROT for Windows 95 or Gatekeeper finds a virus in program files (COM, EXE, etc.) on the
hard drive or a network drive, but does not report it in memory, you have a non-resident
program virus or a resident virus which you have not executed. In either case you don’t
need to boot from a clean floppy. Run F-PROT Professional for Windows 95 from the Start
Menu. Open up the Settings for the “Scan Hard Drive” task and make sure that the Action
is set to Disinfect. Then start the task from the task bar. When the virus is found, follow
the instructions given on the screen and let F-PROT Professional remove the virus. If
F-PROT Professional cannot disinfect the virus, it will either rename the file or delete it,
first asking for confirmation. The easiest way to recover such a file is to reinstall it or
restore it from the backups. Contact F-PROT Support if needed.


If the infection was on a network drive, it is important to make sure all workstations are
cleaned at the same time to prevent re-infection. One way to do this is to force everybody
off the network and include a hard drive scan made with F-PROT for DOS in the system login
script. Also revise the access levels users have on the directories which were infected to
prevent the problem from recurring.


If F-PROT for Windows 95 or Gatekeeper finds a virus in document files (DOC, XLS, etc.) on
the hard drive or a network drive, you have a macro virus. To disinfect, run F-PROT
Professional. When the virus is found, follow the instructions given on the screen and let
F-PROT Professional remove the virus.


If F-PROT for Windows 95 is unable to remove the virus, you might want to download the
latest MACRO.DEF update via the internet from http://www.DataFellows.com/macro/.

If the infection was on a network drive, it is important to make sure all workstations are
cleaned at the same time to prevent re-infection. One way to do this is to force everybody
off the network and include a hard drive scan made with the DOS-based F-MACRO program
in the system login script.


Disinfecting under Windows NT

If F-PROT for Windows NT or Gatekeeper finds a virus on a floppy, run F-PROT for Windows NT
from the Start Menu. Open up the Settings for the “Scan floppy” task and make sure that the
Action is set to Disinfect. Then start the task from the task bar. When the virus is found,
follow the instructions given on the screen and let F-PROT Professional remove the virus.
If F-PROT Professional cannot disinfect the virus, it will either rename the file or delete it,
first asking for confirmation.


If the infection was on a network drive, it is important to make sure all workstations are
cleaned at the same time to prevent re-infection. One way to do this is to force everybody
off the network and include a hard drive scan made with F-PROT for DOS in the system login
script. Also revise the access levels users have on the directories which were infected to
prevent the problem from recurring.

NT Start Menu is unab


1.3.3 If NT doesn’t boot due to a virus 


If Windows NT does not start, this might be caused by a boot virus. In this case, you need to
run F-PROT for DOS, since NT won’t start. Reboot the machine with a clean startup DOS
system diskette (the first diskette of the DOS installation diskette set will do). Insert
the F-PROT Professional for DOS diskette. Run F-PROT from the diskette by typing F-PROT
<ENTER>. F-PROT should start and the memory test should find no viruses.

After F-PROT has started, open up the Scan menu, make sure that the Target menu is set to
Hard Drive and Action is set to Disinfect, and choose Begin Scan. When the virus is found,
follow the instructions given on the screen and let F-PROT Professional remove the virus.

If F-PROT Professional for DOS is unable to remove the boot sector virus, try using your
NT rescue disk (created beforehand with RDISK, an NT utility, or during NT installation).
Cold reboot from the NT rescue disk and choose the ‘Recreate boot sectors’ option.

If F-PROT Professional for DOS is unable to remove a boot sector virus but you do not have a
working NT rescue disk, it might be possible to remove the virus manually. See Section XXX,
“Manually repairing the MBR” or Section XXX, “Manually repairing the DOS boot sector”.
Contact F-PROT Support if needed.
Manually repairing the MBR

If F-PROT is unable to disinfect an MBR boot virus and restoring the MBR from a backup
created by F-RESCUE or NT’s RDISK fails, you can try to manually recreate the MBR area.
The MBR (Master Boot Record) is one sector (512 bytes) located at the very start of your hard
drive. These instructions work with many (but not all) DOS, Windows, Windows 95,
Windows NT, OS/2 and even PC-based Unix systems.


To attempt repair, use a startup system diskette with DOS version 5 or higher and make 
sure that the file FDISK.EXE is on that diskette. Write-protect the diskette. 


Cold start the infected computer from this diskette. Do not rely on just pressing CTRL, ALT, 
DEL; instead press the Reset button or turn the computer off and then back on. 


Check if you are able to access all partitions on the hard disk(s) normally. For example, if
the command DIR C:\ produces a normal file list of drive C:, then you know that the partition
C: is recognized. Test the other partitions too. If partitions are not recognized, it might be
because the virus encrypts the partition data or overwrites it. In this case, the generic
disinfection method described below is not possible. Do not continue or you will lose
your data. Contact F-PROT Support instead.

If you can access C: and the other partitions, type in the command FDISK /MBR. This will
overwrite the code part of the MBR, in effect killing the virus. If you are using Novell DOS
7.0, you need to select this option from the menu, instead of giving a command-line switch.


Now re-start the computer normally from the hard disk and re-check that everything is 
operating normally. Do not forget to check your floppies for the infection as well. 
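As an added example (not part of the manual or of F-PROT itself), the following Python script parses a 512-byte MBR image as described above and compares it with a trusted backup of the kind F-RESCUE keeps, reporting whether the partition table is intact (so that a code-only rewrite such as FDISK /MBR suffices) or altered (in which case the manual says to stop). All sectors in it are constructed placeholders, and the function names are my own.

```python
import struct

SECTOR_SIZE = 512
CODE_AREA = 446          # bytes 0..445 hold the boot code that FDISK /MBR rewrites
TABLE_OFFSET = 446       # four 16-byte partition entries follow the code
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, length
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "code": sector[:CODE_AREA],
        "table": sector[TABLE_OFFSET:TABLE_OFFSET + 4 * ENTRY_SIZE],
        "partitions": partitions,
        "signature_ok": sector[-2:] == SIGNATURE,
    }


def assess_repair(current: bytes, backup: bytes) -> str:
    """Decide what a code-only rewrite can safely fix, given a trusted backup.

    'clean'         current sector is identical to the backup
    'code-only'     boot code differs but the partition table and signature are
                    intact, so rewriting the code part (or restoring the backup)
                    removes the change without touching partition data
    'table-damaged' partition table or signature differs from the backup: stop,
                    since a code-only rewrite will not bring the partitions back
    """
    cur, ref = parse_mbr(current), parse_mbr(backup)
    if current == backup:
        return "clean"
    if cur["table"] == ref["table"] and cur["signature_ok"]:
        return "code-only"
    return "table-damaged"


def make_mbr(code: bytes, table: bytes) -> bytes:
    """Assemble a constructed test sector (placeholder bytes, not real boot code)."""
    return code.ljust(CODE_AREA, b"\x00") + table.ljust(64, b"\x00") + SIGNATURE


# Constructed samples: one bootable FAT16 partition starting at LBA 63.
GOOD_TABLE = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 2_000_000)
SHIFTED_TABLE = struct.pack("<B3xB3xII", 0x80, 0x06, 64, 2_000_000)
BACKUP = make_mbr(b"\xEB\x3C\x90ORIGINAL-CODE", GOOD_TABLE)        # F-RESCUE-style backup
CODE_CHANGED = make_mbr(b"\xEB\x3C\x90MODIFIED-CODE", GOOD_TABLE)  # only the code differs
TABLE_CHANGED = make_mbr(b"\xEB\x3C\x90ORIGINAL-CODE", SHIFTED_TABLE)
NO_SIGNATURE = BACKUP[:-2] + b"\x00\x00"

if __name__ == "__main__":
    for name, sector in [("backup", BACKUP), ("code changed", CODE_CHANGED),
                         ("table changed", TABLE_CHANGED), ("no signature", NO_SIGNATURE)]:
        print(f"{name:14s}: {assess_repair(sector, BACKUP)}")
```

On a real machine the sector would be read from the disk image and the backup from the rescue diskette; the classification logic is unchanged.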


1.5 Manually repairing the DOS boot sector 


If F-PROT is unable to disinfect a boot sector virus and restoring the boot sector from a
backup created by F-RESCUE or NT’s RDISK fails, you can try to manually recreate the
boot sector. A boot sector consists of a single sector (512 bytes) located at the start of every
partition, so a single hard drive can have many boot sectors. These instructions work with
many (but not all) DOS, Windows and Windows 95 systems.


Use a startup system diskette and make sure that the SYS.COM file is on that diskette. The 
DOS version on the diskette should be EXACTLY the same as the one on the hard disk. 
Write-protect the diskette. 


Cold start the computer from the diskette and give the command “SYS C:” 


In addition to copying the system files over, which is not necessary to remove the virus, 
this will overwrite DOS boot sector with clean code, killing the virus. 


Now re-start the computer normally from the hard disk and re-check that everything is
operating normally. Do not forget to check your floppies for the infection as well.




